Press CTR-C to copy XML [help]


Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

How to read the report | Suppressing false positives | Getting Help: github issues

 Sponsor

Project: waffle-jetty

com.github.waffle:waffle-jetty:3.3.1-SNAPSHOT

Scan Information (show all):

Summary

Display: Showing Vulnerable Dependencies (click to show all)

DependencyVulnerability IDsPackageHighest SeverityCVE CountConfidenceEvidence Count
apache-jsp-10.0.19.jarcpe:2.3:a:eclipse:jetty:10.0.19:*:*:*:*:*:*:*
cpe:2.3:a:jetty:jetty:10.0.19:*:*:*:*:*:*:*
cpe:2.3:a:mortbay_jetty:jetty:10.0.19:*:*:*:*:*:*:*		pkg:maven/org.eclipse.jetty/apache-jsp@10.0.19 0Highest39
asm-9.6.jarpkg:maven/org.ow2.asm/asm@9.6 054
asm-commons-9.6.jarpkg:maven/org.ow2.asm/asm-commons@9.6 058
asm-tree-9.6.jarpkg:maven/org.ow2.asm/asm-tree@9.6 058
byte-buddy-1.14.11.jarpkg:maven/net.bytebuddy/byte-buddy@1.14.11 029
byte-buddy-agent-1.14.11.jarpkg:maven/net.bytebuddy/byte-buddy-agent@1.14.11 033
byte-buddy-agent-1.14.11.jar: attach_hotspot_windows.dll 02
byte-buddy-agent-1.14.11.jar: attach_hotspot_windows.dll 02
caffeine-3.1.8.jarpkg:maven/com.github.ben-manes.caffeine/caffeine@3.1.8 037
checker-qual-3.42.0.jarpkg:maven/org.checkerframework/checker-qual@3.42.0 046
com.github.waffle:waffle-jna:3.3.1-SNAPSHOTpkg:maven/com.github.waffle/waffle-jna@3.3.1-SNAPSHOT 06
ecj-3.33.0.jarpkg:maven/org.eclipse.jdt/ecj@3.33.0 036
error_prone_annotations-2.24.1.jarpkg:maven/com.google.errorprone/error_prone_annotations@2.24.1 029
j2objc-annotations-2.8.jarpkg:maven/com.google.j2objc/j2objc-annotations@2.8 024
jakarta.annotation-api-1.3.5.jarcpe:2.3:a:oracle:projects:1.3.5:*:*:*:*:*:*:*pkg:maven/jakarta.annotation/jakarta.annotation-api@1.3.5 0Low35
jakarta.el-3.0.4.jarcpe:2.3:a:eclipse:glassfish:3.0.4:*:*:*:*:*:*:*
cpe:2.3:a:eclipse:jakarta_expression_language:3.0.4:*:*:*:*:*:*:*		pkg:maven/org.glassfish/jakarta.el@3.0.4 0Highest46
jakarta.el-api-3.0.3.jarcpe:2.3:a:eclipse:jakarta_expression_language:3.0.3:*:*:*:*:*:*:*pkg:maven/jakarta.el/jakarta.el-api@3.0.3 0Low43
jakarta.servlet-api-4.0.2.jarcpe:2.3:a:oracle:java_se:4.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:projects:4.0.2:*:*:*:*:*:*:*		pkg:maven/jakarta.servlet/jakarta.servlet-api@4.0.2 0Medium41
jakarta.servlet.jsp-2.3.6.jarcpe:2.3:a:eclipse:glassfish:2.3.6:*:*:*:*:*:*:*
cpe:2.3:a:web_project:web:2.3.6:*:*:*:*:*:*:*		pkg:maven/org.glassfish.web/jakarta.servlet.jsp@2.3.6 0Highest47
jakarta.servlet.jsp-api-2.3.6.jarcpe:2.3:a:oracle:jsp:2.3.6:*:*:*:*:*:*:*pkg:maven/jakarta.servlet.jsp/jakarta.servlet.jsp-api@2.3.6 0Medium45
jakarta.servlet.jsp.jstl-1.2.6.jarcpe:2.3:a:eclipse:glassfish:1.2.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jsp:1.2.6:*:*:*:*:*:*:*
cpe:2.3:a:web_project:web:1.2.6:*:*:*:*:*:*:*		pkg:maven/org.glassfish.web/jakarta.servlet.jsp.jstl@1.2.6 0Highest48
jakarta.servlet.jsp.jstl-api-1.2.4.jarcpe:2.3:a:oracle:java_se:1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jsp:1.2.4:*:*:*:*:*:*:*		pkg:maven/jakarta.servlet.jsp.jstl/jakarta.servlet.jsp.jstl-api@1.2.4 0Medium47
jcl-over-slf4j-2.0.11.jarpkg:maven/org.slf4j/jcl-over-slf4j@2.0.11 031
jetty-io-10.0.19.jarcpe:2.3:a:eclipse:jetty:10.0.19:*:*:*:*:*:*:*
cpe:2.3:a:jetty:jetty:10.0.19:*:*:*:*:*:*:*
cpe:2.3:a:mortbay_jetty:jetty:10.0.19:*:*:*:*:*:*:*		pkg:maven/org.eclipse.jetty/jetty-io@10.0.19 0Highest35
jetty-server-10.0.19.jarcpe:2.3:a:eclipse:jetty:10.0.19:*:*:*:*:*:*:*
cpe:2.3:a:jetty:jetty:10.0.19:*:*:*:*:*:*:*
cpe:2.3:a:jetty:jetty_http_server:10.0.19:*:*:*:*:*:*:*
cpe:2.3:a:mortbay_jetty:jetty:10.0.19:*:*:*:*:*:*:*		pkg:maven/org.eclipse.jetty/jetty-server@10.0.19 0Highest35
jetty-servlet-api-4.0.6.jarcpe:2.3:a:eclipse:jetty:4.0.6:*:*:*:*:*:*:*
cpe:2.3:a:jetty:jetty:4.0.6:*:*:*:*:*:*:*		pkg:maven/org.eclipse.jetty.toolchain/jetty-servlet-api@4.0.6CRITICAL*14Highest26
jna-5.14.0.jarcpe:2.3:a:oracle:java_se:5.14.0:*:*:*:*:*:*:*pkg:maven/net.java.dev.jna/jna@5.14.0 0Low48
jna-5.14.0.jar: jnidispatch.dll 02
jna-5.14.0.jar: jnidispatch.dll 02
jna-5.14.0.jar: jnidispatch.dll 02
jna-platform-5.14.0.jarpkg:maven/net.java.dev.jna/jna-platform@5.14.0 044
jsr305-3.0.2.jarpkg:maven/com.google.code.findbugs/jsr305@3.0.2 017
slf4j-api-2.0.11.jarpkg:maven/org.slf4j/slf4j-api@2.0.11 029
spotbugs-annotations-4.8.3.jarpkg:maven/com.github.spotbugs/spotbugs-annotations@4.8.3 053

* indicates the dependency has a known exploited vulnerability

Dependencies (vulnerable)

apache-jsp-10.0.19.jar

Description:

Jetty-specific ServletContainerInitializer for Jasper

License:

https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/runner/.m2/repository/org/eclipse/jetty/apache-jsp/10.0.19/apache-jsp-10.0.19.jar
MD5: f2c8f0dc627514318c6528139622e7d6
SHA1: 9055d4f466701d031359aef22f6cecac679e5ba3
SHA256:daf8c88e1dfa0ff68090beb6cea3dea4d56e20cdbe0f7f4e2546ef6716466247
Referenced In Project/Scope: waffle-jetty:provided
apache-jsp-10.0.19.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT

Identifiers

asm-9.6.jar

Description:

ASM, a very small and fast Java bytecode manipulation framework

License:

BSD-3-Clause: https://asm.ow2.io/license.html
File Path: /home/runner/.m2/repository/org/ow2/asm/asm/9.6/asm-9.6.jar
MD5: 6f8bccf756f170d4185bb24c8c2d2020
SHA1: aa205cf0a06dbd8e04ece91c0b37c3f5d567546a
SHA256:3c6fac2424db3d4a853b669f4e3d1d9c3c552235e19a319673f887083c2303a1
Referenced In Project/Scope: waffle-jetty:provided
asm-9.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.ow2.asm/asm-commons@9.6

Identifiers

asm-commons-9.6.jar

Description:

Usefull class adapters based on ASM, a very small and fast Java bytecode manipulation framework

License:

BSD-3-Clause: https://asm.ow2.io/license.html
File Path: /home/runner/.m2/repository/org/ow2/asm/asm-commons/9.6/asm-commons-9.6.jar
MD5: 9e317c75534bd1da8c00a67c618ab288
SHA1: f1a9e5508eff490744144565c47326c8648be309
SHA256:7aefd0d5c0901701c69f7513feda765fb6be33af2ce7aa17c5781fc87657c511
Referenced In Project/Scope: waffle-jetty:provided
asm-commons-9.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT

Identifiers

asm-tree-9.6.jar

Description:

Tree API of ASM, a very small and fast Java bytecode manipulation framework

License:

BSD-3-Clause: https://asm.ow2.io/license.html
File Path: /home/runner/.m2/repository/org/ow2/asm/asm-tree/9.6/asm-tree-9.6.jar
MD5: 6062608f1a98afe1e853d01fa1221a9e
SHA1: c0cdda9d211e965d2a4448aa3fd86110f2f8c2de
SHA256:c43ecf17b539c777e15da7b5b86553b377e2d39a683de6285567d5283888e7ef
Referenced In Project/Scope: waffle-jetty:provided
asm-tree-9.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.ow2.asm/asm-commons@9.6

Identifiers

byte-buddy-1.14.11.jar

Description:

        Byte Buddy is a Java library for creating Java classes at run time.
        This artifact is a build of Byte Buddy with all ASM dependencies repackaged into its own name space.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/net/bytebuddy/byte-buddy/1.14.11/byte-buddy-1.14.11.jar
MD5: c28e36075a114b176953fc10a5370be7
SHA1: 725602eb7c8c56b51b9c21f273f9df5c909d9e7d
SHA256:62ae28187ed2b062813da6a9d567bfee733c341582699b62dd980230729a0313
Referenced In Project/Scope: waffle-jetty:compile
byte-buddy-1.14.11.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT

Identifiers

byte-buddy-agent-1.14.11.jar

Description:

The Byte Buddy agent offers convenience for attaching an agent to the local or a remote VM.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/net/bytebuddy/byte-buddy-agent/1.14.11/byte-buddy-agent-1.14.11.jar
MD5: 0de12734d808654692599b08ccd84020
SHA1: f9cb566608fbac6bc7bf54901a7aa11543a989ee
SHA256:2f537a621a64fa7013d68c695a76a34ee8d79dad74e635caca16dd56257aeb80
Referenced In Project/Scope: waffle-jetty:compile
byte-buddy-agent-1.14.11.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT

Identifiers

byte-buddy-agent-1.14.11.jar: attach_hotspot_windows.dll

File Path: /home/runner/.m2/repository/net/bytebuddy/byte-buddy-agent/1.14.11/byte-buddy-agent-1.14.11.jar/win32-x86-64/attach_hotspot_windows.dll
MD5: 053a783e5777c6a9867c27d51af89677
SHA1: 5ef4d98ae6a033a5707d0b5466e6138beb337e76
SHA256:16d424423f9b09accf132ad35dbeaa52ac9f6bd45bba1406b89df851f651db20
Referenced In Project/Scope: waffle-jetty:compile

Identifiers

  • None

byte-buddy-agent-1.14.11.jar: attach_hotspot_windows.dll

File Path: /home/runner/.m2/repository/net/bytebuddy/byte-buddy-agent/1.14.11/byte-buddy-agent-1.14.11.jar/win32-x86/attach_hotspot_windows.dll
MD5: fbca33102ac97be0ed496c0f78e466b3
SHA1: c4df05146a86a6d073769bb697d550ef42518ed5
SHA256:810f94c4a2f5ca1a072c19859f7954fed9aa3a1dcb0d601e92d2338793202e72
Referenced In Project/Scope: waffle-jetty:compile

Identifiers

  • None

caffeine-3.1.8.jar

Description:

A high performance caching library

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/github/ben-manes/caffeine/caffeine/3.1.8/caffeine-3.1.8.jar
MD5: b19301179903e8781776397d9923f7c8
SHA1: 24795585df8afaf70a2cd534786904ea5889c047
SHA256:7dd15f9df1be238ffaa367ce6f556737a88031de4294dad18eef57c474ddf1d3
Referenced In Project/Scope: waffle-jetty:compile
caffeine-3.1.8.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jna@3.3.1-SNAPSHOT

Identifiers

checker-qual-3.42.0.jar

Description:

checker-qual contains annotations (type qualifiers) that a programmer
writes to specify Java code for type-checking by the Checker Framework.

License:

The MIT License: http://opensource.org/licenses/MIT
File Path: /home/runner/.m2/repository/org/checkerframework/checker-qual/3.42.0/checker-qual-3.42.0.jar
MD5: 4c55448dcbfe9c3702f7758fc8fe0086
SHA1: 638ec33f363a94d41a4f03c3e7d3dcfba64e402d
SHA256:ccaedd33af0b7894d9f2f3b644f4d19e43928e32902e61ac4d10777830f5aac7
Referenced In Project/Scope: waffle-jetty:compile
checker-qual-3.42.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jna@3.3.1-SNAPSHOT

Identifiers

com.github.waffle:waffle-jna:3.3.1-SNAPSHOT

Description:

WAFFLE JNA implementation

License:

MIT https://raw.github.com/Waffle/waffle/master/LICENSE
File Path: /home/runner/work/waffle/waffle/Source/JNA/waffle-jna/pom.xml

Referenced In Project/Scope: waffle-jetty
com.github.waffle:waffle-jna:3.3.1-SNAPSHOT is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT

Identifiers

ecj-3.33.0.jar

Description:

Eclipse Compiler for Java(TM)

License:

Eclipse Public License - v 2.0: https://www.eclipse.org/legal/epl-2.0/
File Path: /home/runner/.m2/repository/org/eclipse/jdt/ecj/3.33.0/ecj-3.33.0.jar
MD5: 8f97ca731449b0dd4cbf23aa34774c6f
SHA1: 4041d27ffea3c9351e3121f9bfe94dea4723d583
SHA256:f7686c4960cf70c2ebc5c500a73a8cfc04541b730c18f1c5c21329889b137f45
Referenced In Project/Scope: waffle-jetty:provided
ecj-3.33.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT

Identifiers

error_prone_annotations-2.24.1.jar

Description:

Error Prone is a static analysis tool for Java that catches common programming mistakes at compile-time.

License:

Apache 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/google/errorprone/error_prone_annotations/2.24.1/error_prone_annotations-2.24.1.jar
MD5: 345bbebec9b3c68d2638c0f6809436dc
SHA1: 32b299e45105aa9b0df8279c74dc1edfcf313ff0
SHA256:19fe2f7155d20ea093168527999da98108103ee546d1e8b726bc4b27c31a3c30
Referenced In Project/Scope: waffle-jetty:provided
error_prone_annotations-2.24.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT

Identifiers

j2objc-annotations-2.8.jar

Description:

    A set of annotations that provide additional information to the J2ObjC
    translator to modify the result of translation.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/google/j2objc/j2objc-annotations/2.8/j2objc-annotations-2.8.jar
MD5: c50af69b704dc91050efb98e0dff66d1
SHA1: c85270e307e7b822f1086b93689124b89768e273
SHA256:f02a95fa1a5e95edb3ed859fd0fb7df709d121a35290eff8b74dce2ab7f4d6ed
Referenced In Project/Scope: waffle-jetty:provided
j2objc-annotations-2.8.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT

Identifiers

jakarta.annotation-api-1.3.5.jar

Description:

Jakarta Annotations API

License:

EPL 2.0: http://www.eclipse.org/legal/epl-2.0
GPL2 w/ CPE: https://www.gnu.org/software/classpath/license.html
File Path: /home/runner/.m2/repository/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar
MD5: 8b165cf58df5f8c2a222f637c0a07c97
SHA1: 59eb84ee0d616332ff44aba065f3888cf002cd2d
SHA256:85fb03fc054cdf4efca8efd9b6712bbb418e1ab98241c4539c8585bbc23e1b8a
Referenced In Project/Scope: waffle-jetty:provided
jakarta.annotation-api-1.3.5.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT

Identifiers

jakarta.el-3.0.4.jar

Description:

        Jakarta Expression Language provides a specification document, API, reference implementation and TCK 
        that describes an expression language for Java applications.

License:

EPL 2.0: http://www.eclipse.org/legal/epl-2.0
GPL2 w/ CPE: https://www.gnu.org/software/classpath/license.html
File Path: /home/runner/.m2/repository/org/glassfish/jakarta.el/3.0.4/jakarta.el-3.0.4.jar
MD5: a4ff0d711c405e054f8166c2ea893e0e
SHA1: f48473482c0e3e714f87186d9305bcae30b7f5cb
SHA256:3b8d4311b47fb47d168ad4338b6649a7cc21d5066b9765bd28ebca93148064be
Referenced In Project/Scope: waffle-jetty:provided
jakarta.el-3.0.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT

Identifiers

jakarta.el-api-3.0.3.jar

Description:

        Jakarta Expression Language defines an expression language for Java applications

License:

EPL 2.0: http://www.eclipse.org/legal/epl-2.0
GPL2 w/ CPE: https://www.gnu.org/software/classpath/license.html
File Path: /home/runner/.m2/repository/jakarta/el/jakarta.el-api/3.0.3/jakarta.el-api-3.0.3.jar
MD5: 528ed6138395d22fb54912b2b889e88e
SHA1: f311ab94bb1d4380690a53d737226a6b879dd4f1
SHA256:47ae0a91fb6dd32fdaa5d9bda63df043ac8148e00c297ccce8ab9c56b95cf261
Referenced In Project/Scope: waffle-jetty:provided
jakarta.el-api-3.0.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT

Identifiers

jakarta.servlet-api-4.0.2.jar

Description:

Java(TM) Servlet 4.0 API Design Specification

License:

EPL 2.0: http://www.eclipse.org/legal/epl-2.0
GPL2 w/ CPE: https://www.gnu.org/software/classpath/license.html
File Path: /home/runner/.m2/repository/jakarta/servlet/jakarta.servlet-api/4.0.2/jakarta.servlet-api-4.0.2.jar
MD5: 75523dea16c815e4b111796ea1679b1b
SHA1: 60da427ed588aa0cf70cb6cb7209c31e83069364
SHA256:0cd32c92320ae92c8692ef326dfeef756e97760251fca0c45472f299f1c3c916
Referenced In Project/Scope: waffle-jetty:provided
jakarta.servlet-api-4.0.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.glassfish.web/jakarta.servlet.jsp.jstl@1.2.6

Identifiers

jakarta.servlet.jsp-2.3.6.jar

Description:

JavaServer Pages API

License:

EPL 2.0: http://www.eclipse.org/legal/epl-2.0
GPL2 w/ CPE: https://www.gnu.org/software/classpath/license.html
File Path: /home/runner/.m2/repository/org/glassfish/web/jakarta.servlet.jsp/2.3.6/jakarta.servlet.jsp-2.3.6.jar
MD5: 16d8baeceb5503f066c61582085c75cb
SHA1: 13192d5874b787c0ce0c70b35e95181e8b683a1c
SHA256:990af769158db75833fe8b4d1e56ea778246bc3c6522d434369f1a0bcebf8582
Referenced In Project/Scope: waffle-jetty:provided
jakarta.servlet.jsp-2.3.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT

Identifiers

jakarta.servlet.jsp-api-2.3.6.jar

Description:

Jakarta Server Pages API

License:

EPL 2.0: http://www.eclipse.org/legal/epl-2.0
GPL2 w/ CPE: https://www.gnu.org/software/classpath/license.html
File Path: /home/runner/.m2/repository/jakarta/servlet/jsp/jakarta.servlet.jsp-api/2.3.6/jakarta.servlet.jsp-api-2.3.6.jar
MD5: 07e4d801fad7599ae858cb6b779b5168
SHA1: ee48550ece1af1e0d8bd4877dbc6da5c29c5496b
SHA256:e915fa9db7245592460dfaf1a2df9cdfe800cc3976562ed492870db56369dde9
Referenced In Project/Scope: waffle-jetty:provided
jakarta.servlet.jsp-api-2.3.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT

Identifiers

jakarta.servlet.jsp.jstl-1.2.6.jar

Description:

JavaServer Pages(TM) Standard Tag Library API

License:

EPL 2.0: http://www.eclipse.org/legal/epl-2.0
GPL2 w/ CPE: https://www.gnu.org/software/classpath/license.html
File Path: /home/runner/.m2/repository/org/glassfish/web/jakarta.servlet.jsp.jstl/1.2.6/jakarta.servlet.jsp.jstl-1.2.6.jar
MD5: 7058e8ed0b161b729e6134784750d22b
SHA1: f5a092de3b2b087c14ca4b8d6f2c77a1f6802828
SHA256:3b697c6cdf4d28de185e07d63f3682728b5a2b1dd229f5f9deb9b930d64b484a
Referenced In Project/Scope: waffle-jetty:provided
jakarta.servlet.jsp.jstl-1.2.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT

Identifiers

jakarta.servlet.jsp.jstl-api-1.2.4.jar

Description:

JavaServer Pages(TM) Standard Tag Library API

License:

EPL 2.0: http://www.eclipse.org/legal/epl-2.0
GPL2 w/ CPE: https://www.gnu.org/software/classpath/license.html
File Path: /home/runner/.m2/repository/jakarta/servlet/jsp/jstl/jakarta.servlet.jsp.jstl-api/1.2.4/jakarta.servlet.jsp.jstl-api-1.2.4.jar
MD5: 5b4683c3a614b37a5de721817e792024
SHA1: 9d23cda192df1192894277fd9d0710abb61329af
SHA256:57122ab0151f82e716d825e65627e8064eb108dbeaafafa780687d61d5359454
Referenced In Project/Scope: waffle-jetty:provided
jakarta.servlet.jsp.jstl-api-1.2.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.glassfish.web/jakarta.servlet.jsp.jstl@1.2.6

Identifiers

jcl-over-slf4j-2.0.11.jar

Description:

JCL 1.2 implemented over SLF4J

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/slf4j/jcl-over-slf4j/2.0.11/jcl-over-slf4j-2.0.11.jar
MD5: 7ad2cbcec0efd8cfc8f3a6dfacfc5829
SHA1: f6226edb8c85f8c9f1f75ec4b0252c02f589478a
SHA256:55e96f9830d732c81f0709e9090f308798381be7dc5aa67dd423c02831b5b4bb
Referenced In Project/Scope: waffle-jetty:compile
jcl-over-slf4j-2.0.11.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jna@3.3.1-SNAPSHOT

Identifiers

jetty-io-10.0.19.jar

Description:

Jetty module for Jetty :: IO Utility

License:

https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/runner/.m2/repository/org/eclipse/jetty/jetty-io/10.0.19/jetty-io-10.0.19.jar
MD5: 2a17076c238062f9d3ef947282347d3b
SHA1: 1a08ba2c33c92d7d1f2a9dd8b87653c237756921
SHA256:4ec28fd3717eebfa3b3ac3d692d89889ac0a5282ba129b7d7ce4682abe778158
Referenced In Project/Scope: waffle-jetty:provided
jetty-io-10.0.19.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.eclipse.jetty/jetty-client@10.0.19

Identifiers

jetty-server-10.0.19.jar

Description:

The core jetty server artifact.

License:

https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/runner/.m2/repository/org/eclipse/jetty/jetty-server/10.0.19/jetty-server-10.0.19.jar
MD5: 885901771fa61efe91135936572573e5
SHA1: 5a0f3f4118cd80cbdfa38f162e1ccd50afc8cae6
SHA256:f61b8eace7df3f9394db0e7e1e00f8db2fed4ecda57f269720b80f394ba9d46a
Referenced In Project/Scope: waffle-jetty:provided
jetty-server-10.0.19.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.eclipse.jetty/jetty-servlet@10.0.19

Identifiers

jetty-servlet-api-4.0.6.jar

Description:

Combined servlet api and schemas for use in JPMS and OSGi environments

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /home/runner/.m2/repository/org/eclipse/jetty/toolchain/jetty-servlet-api/4.0.6/jetty-servlet-api-4.0.6.jar
MD5: d63413e02885c25d0129e3d2936606f6
SHA1: 959c5d83d08f5cddf56caff749e48b735193191b
SHA256:d90bf1f8a9d2ba89f4510bb51e1516dcf94ef6dc034e00f233654abdd78f2210
Referenced In Project/Scope: waffle-jetty:provided
jetty-servlet-api-4.0.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.eclipse.jetty/apache-jsp@10.0.19

Identifiers

CVE-2017-7657  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-190 Integer Overflow or Wraparound

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions: (show all)

CVE-2009-5045  

Dump Servlet information leak in jetty before 6.1.22.
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2017-7656  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
CWE-203 Observable Discrepancy

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions: (show all)

CVE-2022-2048  

In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.
CWE-664 Improper Control of a Resource Through its Lifetime, NVD-CWE-Other, CWE-410 Insufficient Resource Pool

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions: (show all)

CVE-2023-44487  

CISA Known Exploited Vulnerability:
  • Product: IETF HTTP/2
  • Name: HTTP/2 Rapid Reset Attack Vulnerability
  • Date Added: 2023-10-10
  • Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
  • Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
  • Due Date: 2023-10-31
  • Notes: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions: (show all)

CVE-2020-27216  

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Insecure Permissions, NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.4)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.0)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:1.0/RC:R/MAV:A

References:

Vulnerable Software & Versions: (show all)

CVE-2009-5046  

JSP Dump and Session Dump Servlet XSS in jetty before 6.1.22.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2021-28169  

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
NVD-CWE-Other, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions: (show all)

CVE-2023-26048  

Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions: (show all)

CVE-2023-26049  

Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
NVD-CWE-noinfo, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions: (show all)

CVE-2021-34428  

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CWE-613 Insufficient Session Expiration

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: LOW (3.5)
  • Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:0.9/RC:R/MAV:A

References:

Vulnerable Software & Versions: (show all)

CVE-2022-2047  

In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: LOW (2.7)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N/E:1.2/RC:R/MAV:A

References:

Vulnerable Software & Versions: (show all)

jna-5.14.0.jar

Description:

Java Native Access

License:

LGPL-2.1-or-later: https://www.gnu.org/licenses/old-licenses/lgpl-2.1
Apache-2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/net/java/dev/jna/jna/5.14.0/jna-5.14.0.jar
MD5: 8b3cc652920435ad9f801e6d9b2a3497
SHA1: 67bf3eaea4f0718cb376a181a629e5f88fa1c9dd
SHA256:34ed1e1f27fa896bca50dbc4e99cf3732967cec387a7a0d5e3486c09673fe8c6
Referenced In Project/Scope: waffle-jetty:compile
jna-5.14.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jna@3.3.1-SNAPSHOT

Identifiers

jna-5.14.0.jar: jnidispatch.dll

File Path: /home/runner/.m2/repository/net/java/dev/jna/jna/5.14.0/jna-5.14.0.jar/com/sun/jna/win32-aarch64/jnidispatch.dll
MD5: f6bef568e690d361a5dcc165f5ad4b1f
SHA1: 05638a4aaafa689a6c246530823afdc18d3fd438
SHA256:b9d1479b9619b7ece4a36b6ae31365ffaf15a1355d4f6da02f8b5f09df2fa82f
Referenced In Project/Scope: waffle-jetty:compile

Identifiers

  • None

jna-5.14.0.jar: jnidispatch.dll

File Path: /home/runner/.m2/repository/net/java/dev/jna/jna/5.14.0/jna-5.14.0.jar/com/sun/jna/win32-x86-64/jnidispatch.dll
MD5: 719d6ba1946c25aa61ce82f90d77ffd5
SHA1: 94d2191378cac5719daecc826fc116816284c406
SHA256:69c45175ecfd25af023f96ac0bb2c45e6a95e3ba8a5a50ee7969ccab14825c44
Referenced In Project/Scope: waffle-jetty:compile

Identifiers

  • None

jna-5.14.0.jar: jnidispatch.dll

File Path: /home/runner/.m2/repository/net/java/dev/jna/jna/5.14.0/jna-5.14.0.jar/com/sun/jna/win32-x86/jnidispatch.dll
MD5: e15183ef9c6c255b76fda73d01ca7ecb
SHA1: f816f998c43204230d9ea3eecffb5f8372a32c2e
SHA256:38650a0612730c52580c9f32ff766b44b1c5a426d52e7dd7a53687bf3389ac2c
Referenced In Project/Scope: waffle-jetty:compile

Identifiers

  • None

jna-platform-5.14.0.jar

Description:

Java Native Access Platform

License:

LGPL-2.1-or-later: https://www.gnu.org/licenses/old-licenses/lgpl-2.1
Apache-2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/net/java/dev/jna/jna-platform/5.14.0/jna-platform-5.14.0.jar
MD5: 3bc3f09a698e6ad250dd093f64fbb8a7
SHA1: 28934d48aed814f11e4c584da55c49fa7032b31b
SHA256:ae4caceb3840730c2537f9b7fb55a01baba580286b4122951488bcee558c2449
Referenced In Project/Scope: waffle-jetty:compile
jna-platform-5.14.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jna@3.3.1-SNAPSHOT

Identifiers

jsr305-3.0.2.jar

Description:

JSR305 Annotations for Findbugs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar
MD5: dd83accb899363c32b07d7a1b2e4ce40
SHA1: 25ea2e8b0c338a877313bd4672d3fe056ea78f0d
SHA256:766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7
Referenced In Project/Scope: waffle-jetty:provided
jsr305-3.0.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.spotbugs/spotbugs-annotations@4.8.3

Identifiers

slf4j-api-2.0.11.jar

Description:

The slf4j API

License:

http://www.opensource.org/licenses/mit-license.php
File Path: /home/runner/.m2/repository/org/slf4j/slf4j-api/2.0.11/slf4j-api-2.0.11.jar
MD5: 90c46a2d4613049843c804867321e6a7
SHA1: ad96c3f8cf895e696dd35c2bc8e8ebe710be9e6d
SHA256:ce0e71d673acb9036bb55d0244b261cf033f8e4c1245f14f931dfb1937dd4c95
Referenced In Project/Scope: waffle-jetty:compile
slf4j-api-2.0.11.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jna@3.3.1-SNAPSHOT

Identifiers

spotbugs-annotations-4.8.3.jar

Description:

Annotations the SpotBugs tool supports

License:

GNU LESSER GENERAL PUBLIC LICENSE, Version 2.1: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.html
File Path: /home/runner/.m2/repository/com/github/spotbugs/spotbugs-annotations/4.8.3/spotbugs-annotations-4.8.3.jar
MD5: cd5917b77643c3a7ba5420aea78f940c
SHA1: 05d2dc4ca5b632976371155252499819aea372ed
SHA256:e5d4f60be8e57595766ba7f1d4535dc46aebf98dae05e16372a4d4120d3ebb6b
Referenced In Project/Scope: waffle-jetty:provided
spotbugs-annotations-4.8.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT

Identifiers



This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the CISA Known Exploited Vulnerability Catalog.
This report may contain data retrieved from the Github Advisory Database (via NPM Audit API).
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.